Many government, commercial, and other organizations make use of multi-functional ID cards which have "Smart Card" technology. However, I think it is beyond our scope to comment as to who specifically does or does not use them, or why. In many cases, such commentary would be speculative or subjective in nature. In others, they could involve disclosing organizational information which is not proper for a public forum.
–
IsziApr 17 '12 at 18:29

Added another question to help balance it out.
–
DavidApr 17 '12 at 18:46

2

In my opinion these are two separate questions: 1, are they widely used and what kind of organizations use them, and 2, what are the pros and cons. I disagree with @Iszi that there is any "disclosing organizational information" problem. CAC and similar cards are far from secret.
–
Mark BeadlesApr 17 '12 at 18:56

3

Every GSM SIM card, every chip-and-PIN credit card (EMV): in Europe most people have three or four smartcards on them today. They are used in a slightly different way (though authentication of some kind is programmed into them).
–
ewanm89Apr 17 '12 at 19:43

1

@Iszi Of course, but that doesn't mean that answering the question is outside the scope of this forum.
–
Mark BeadlesApr 17 '12 at 20:30

5 Answers
5

I know of a range of organisations who use smartcards either for access to buildings, access to computers or terminals (e.g. Citrix) or for both. It is the sort of organisations you would expect: ones that have a high impact if unauthorised access is gained by an attacker.

Also, as @ewanm89 commented, most European bank cards are now smart cards, and some banks use this for authentication (e.g. one of my banks will require me to insert my card into a card reader, input my PIN, and then input a number from a payment authentication page; I then type the number some crypto function on the card gives me back into the page, to prove I physically have the card as well as knowing the PIN).

Yeah, I'm mainly interested in using them to access computers, possibly websites. Very similar to the DoD's CAC (I've seen DoD laptops that won't unlock without a CAC; and also DoD sites like the military access sites (MyPay, Military branch Portals, etc.)). As for the laptops, not sure on the specifics, but do they require a password/passcode and/or a fingerprint as well as the CAC to unlock?
–
DavidApr 18 '12 at 22:09

CAC cards themselves are used only by the US Department of Defense. But similar cards are used elsewhere. By 'similar' I mean embedded-chip plastic cards that carry a picture and other secure identity information and that use PKI.

Many companies use various hardware devices (e.g., RSA SecurID) for authentication. I don't know how many other organizations use smartcards (like the CAC card) for security.

One limitation of smartcards and CAC cards is that they do not protect against malware on your PC (e.g., the man-in-the-browser attack). In particular, malware on your computer can record your PIN using a keylogger (since that is typed on your keyboard and only then sent to the smartcard), and then can send arbitrary requests to the smartcard for signing. This is basically a man-in-the-middle attack, with the malware getting in the middle between the user and the smartcard. Since the smartcard has no independent input channel or output channel, it has no way to know it is being fooled in this way, and the smartcard will sign anything the malware asks. Thus, malware on your PC completely defeats all security benefits of the smartcard. (The same is true of RSA SecurID devices as well.)

This means that, arguably, the primary benefit provided by a CAC card or smartcard is that it supports secure authentication to a remote site, as long as there is no malware on your local machine. However, many other hardware devices (e.g., RSA SecurID) provide similar benefits, so the added value of a smartcard is debatable.

"One limitation of smartcards and CAC cards is that they do not protect against malware on your PC (e.g., the man-in-the-browser attack)." Let's be honest, neither do RSA token devices. Let us not forget that RSA has in the past been compromised, which led to the devices' secret tokens being compromised; at least in the case of CAC cards the knowledge of the secret token only exists in the human's brain. Good security means the card is also replaced every 2-3 years.
–
RamhoundApr 17 '12 at 18:56

@Ramhound, Absolutely! Neither protects against malware on the PC. That's why I said that the benefits of smartcards over RSA SecurID are debatable.
–
D.W.Apr 17 '12 at 19:28
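The attack D.W. describes in the answer above (keylogged PIN, then arbitrary signing requests the card cannot distinguish from the user's), contrasted with the detached PIN-pad reader Rory describes in the first answer, modelled as an added example that is not part of any answer on this page. Assumptions: the card is simulated in Python with HMAC-SHA256 standing in for its asymmetric signing key, and the class and function names (`SmartCard`, `InfectedHost`, `DetachedReader`, the two scenario functions) are invented for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class SmartCard:
    """Stand-in for a PKI smart card: a secret that never leaves the chip,
    usable only after PIN verification, with a retry counter.  Assumption:
    HMAC-SHA256 replaces the card's real asymmetric key so this needs no
    third-party library; the security argument is unchanged."""

    def __init__(self, pin: str, max_tries: int = 3) -> None:
        self._pin = pin
        self._key = secrets.token_bytes(32)   # no command exports this
        self._max_tries = max_tries
        self._tries_left = max_tries
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False                      # card blocked after too many tries
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked = True
            self._tries_left = self._max_tries
            return True
        self._tries_left -= 1
        return False

    def sign(self, data: bytes) -> bytes:
        """Signs any bytes it is handed once unlocked.  The chip has no display
        or keypad, so it cannot tell the user's request from malware's."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return self._mac(data)

    def remove(self) -> None:
        """Card pulled from the reader: the unlocked state is lost."""
        self._unlocked = False

    # Relying-party side; a real verifier would use the certificate's public key.
    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self._mac(data), sig)

    def verify_code(self, challenge: str, code: str) -> bool:
        return hmac.compare_digest(self._mac(challenge.encode())[:4].hex(), code)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()


class InfectedHost:
    """PC middleware carrying keylogging malware.  Every PIN keystroke and
    every command to the card passes through here."""

    def __init__(self, card: SmartCard) -> None:
        self.card = card
        self.keylog: List[str] = []

    def user_types_pin(self, pin: str) -> bool:
        self.keylog.append(pin)               # keylogger captures the PIN
        return self.card.verify_pin(pin)

    def sign(self, data: bytes) -> bytes:     # used by the user and by malware alike
        return self.card.sign(data)


def connected_card_scenario(pin: str = "1234") -> Dict[str, bool]:
    card, host = SmartCard(pin), None
    host = InfectedHost(card)
    host.user_types_pin(pin)                                      # user logs in
    legit = host.sign(b"login user@example.invalid nonce=42")     # user's request
    forged = host.sign(b"approve transfer 10000 to attacker")     # malware's request
    card.remove()                                                 # user pulls the card
    # On the next insertion the malware replays the logged PIN on its own.
    forged2 = card.sign(b"sign this too") if card.verify_pin(host.keylog[-1]) else b""
    return {
        "legit_valid": card.verify(b"login user@example.invalid nonce=42", legit),
        "forged_valid": card.verify(b"approve transfer 10000 to attacker", forged),
        "pin_stolen": host.keylog == [pin],
        "forged_after_reinsert_valid": card.verify(b"sign this too", forged2),
    }


class DetachedReader:
    """Unconnected reader with its own keypad, like the bank reader in the
    first answer: the PIN is typed on the reader, and only a short response
    code for one challenge ever reaches the PC."""

    def __init__(self, card: SmartCard) -> None:
        self.card = card

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if not self.card.verify_pin(pin):
            return None
        code = self.card.sign(challenge.encode())[:4].hex()
        self.card.remove()                    # relocks after every use
        return code


def detached_reader_scenario(pin: str = "1234") -> Dict[str, bool]:
    card = SmartCard(pin)
    code = DetachedReader(card).respond(pin, "83749201")   # challenge copied from the page
    try:                                      # malware on the PC never saw the PIN and
        card.sign(b"approve transfer 10000 to attacker")   # cannot drive the locked card
        malware_signed = True
    except PermissionError:
        malware_signed = False
    return {"code_valid": card.verify_code("83749201", code or ""),
            "malware_signed": malware_signed}
```

The detached reader stops the two things the answer names, PIN capture and unattended signing, but not every man-in-the-browser attack: if the page itself is under the attacker's control, the challenge the user copies into the reader can belong to a transaction the user never intended, unless the reader also shows what is being approved.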

In the last 18 months the company that makes the RSA security tokens was compromised. Information on hundreds of thousands of their devices (in use by their customers) was leaked. This information allowed the criminals who gained access to it to access another company's information (although, to be fair, there was a social engineering aspect of that attack also). Provided that information stays safe, the RSA security device is one of the most secure ways of electronic device access.

Common Access Cards (aka Smart Cards) contain a PKI security certificate. I cannot speak to who else uses them; I have seen them used by both a defense contractor and government agencies.

As pointed out there is one weakness to the cards, the human element, the password and/or pin used to decrypt the information encrypted by security certificate can be harvested. There is/was an exploit in one of the clients that provides a means to extract the certificate information on the card.

The important aspect about these smart cards is that you must have access to the certificate, which is only contained on the card. When the card is no longer visible to the system, the certificate is removed from the system; proper system configuration is a must.

A man in the middle attack can be prevented, but if it happens the attacker only has access, while they have the ability to use the certificate.

Certificates that expire within a short amount of time (2 to 3 years) are a must.

Yeah, of course. Government, or you could say any type of organization, makes use of multifunctional ID cards, which make it easy to identify an employee's designation and easy to search.